As the United States Department of Defense (DoD) undertakes one of the largest cloud migrations in history, beginning with Microsoft's winning bid for the Joint Enterprise Defense Infrastructure (JEDI) project, data security in the cloud is of paramount importance. Aggressive cyber threats that aim to undermine the US military's efforts to keep America and its allies safe become even more alarming as DoD networks move to the cloud.
January 29, 2019 was a dreary day in Washington, D.C., both outside and inside the Capitol Building. Clouds and 40℉ temperatures made for uncomfortable conditions outdoors, and anyone attending Director of National Intelligence Dan Coats' briefing to the Senate Intelligence Committee found little refuge from the chill inside. Director Coats detailed a sobering state of affairs in the Office of the Director of National Intelligence's annual Worldwide Threat Assessment of the Intelligence Community. According to the assessment, cyber threats top the list of threats against the United States, and the US military is a prime target. China and Russia are already conducting cyber espionage, attacks, and influence operations, and the assessment expects these activities to increase.
“As the world becomes increasingly interconnected, we expect these actors [China and Russia], and others, to rely more and more on cyber capabilities when seeking to gain political, economic, and military advantages over the United States and its allies and partners.”
-Dan Coats, Director of National Intelligence, Worldwide Threat Assessment of the Intelligence Community, Opening Statement, Tuesday, January 29, 2019
Presumably, this warning has been gnawing at the DoD team responsible for the Joint Enterprise Defense Infrastructure (JEDI) project. JEDI will migrate DoD data and workloads to the cloud as the department adopts an enterprise approach to cloud computing. In October 2019, the JEDI contract was awarded to Microsoft, whose Azure platform will be used to implement the DoD cloud strategy. Microsoft will be expected to keep the DoD cloud environment secure, a steep ask given the threats outlined in the Worldwide Threat Assessment. Under the shared responsibility model that every major cloud provider uses, however, Microsoft secures the underlying platform while the DoD remains responsible for its own data, identities, workload configuration, and monitoring. Trusting Microsoft Azure with the DoD cloud is a reasonable strategy, but whether it is sufficient on its own, with Russia and China unrelenting in their aim to disrupt America's security, remains an open question.
The DoD is creating guidance for cloud security in advance of JEDI's implementation. The DoD CIO's office has described the guidance as a "Zero Trust" model: rather than trusting everything inside a wide network perimeter, Zero Trust treats every request as untrusted until it is authenticated and authorized, and narrows defenses to micro-perimeters around individual workloads and data. Enforcing and verifying such a model depends on being able to see the traffic that crosses those micro-perimeters.
The threat is not limited to the JEDI project. The Navy has moved its ERP system to Amazon's AWS GovCloud, the Navy's Sea Warrior Program (PMW 240) is delivering more IT solutions in the cloud, and PEO EIS is moving IT services to the cloud to support the Army. Every cloud environment has an attack surface, and the United States' adversaries will probe any weakness in the military's network infrastructure. Protecting against cyber threats in the cloud therefore benefits a host of DoD stakeholders.
The data traversing the DoD's network can mean life or death for warfighters around the world, so maintaining the security of DoD data and workloads in the cloud is imperative to the safety of our servicemen and women. As JEDI implementation nears and security shifts to the micro-perimeter, protecting virtual traffic and the applications that depend on it requires full packet-level visibility within the cloud.
Fortunately, packet-level visibility in the cloud is possible today, and the approach is similar to how visibility is provided in traditional on-prem data centers with network test access points (TAPs). When the DoD migrates workloads out of its data centers it loses physical access to the links carrying that traffic, so a hardware TAP can no longer be inserted. Virtual TAPs, or out-of-band packet mirroring solutions, can copy cloud traffic and deliver the copies to monitoring tools that run in the cloud or that remain in a data center.
A traditional network TAP is a hardware device that passes traffic between ports A and B in both directions without interruption while producing an exact copy of both sides of the flow. Because a TAP is passive and continuous, a failure of the attached monitoring tool cannot affect the production link, and the tool cannot inject traffic back into it. The copy is consumed by monitoring, security, and analysis tools. A virtual TAP is the software equivalent: an agent or mirroring function that accesses, processes, and delivers packet-level traffic from virtual machines (VMs) and containers in the cloud and sends the copies to the desired tools. One caveat a practitioner should note is that a virtual TAP consumes CPU and network bandwidth on the host it runs on, and the mirrored copy carries the same sensitive data as the original, so the mirror path and its destinations must be protected as carefully as the production traffic. Virtual TAPs give the DoD the visibility it needs from the start of the JEDI implementation. Visibility is the foundation of cloud security: without it threats cannot be detected and the network cannot be protected.
Unfortunately, the DoD cannot rely on Microsoft Azure alone for virtual traffic visibility, because Azure does not offer a generally available native virtual TAP; Azure Network Watcher can capture packets on demand from an individual VM, but that is a troubleshooting feature, not continuous out-of-band mirroring. Interestingly, AWS (which is protesting Microsoft's JEDI award in the US Court of Federal Claims after finishing as runner-up) offers a native mirroring service called VPC Traffic Mirroring, though it has limitations: it is available only on supported instance types (at launch, Nitro-based instances), and mirrored packets are VXLAN-encapsulated and delivered over UDP port 4789 to a target network interface or load balancer, so the receiving tool must decapsulate them. No public information details Microsoft's plans for a native virtual TAP in Azure now or in the future. The DoD will therefore need to consider third-party options for packet visibility in the cloud, such as Garland Prisms.
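To make the encapsulation point concrete, here is an added example (not Garland's, AWS's, or this article's own code) of what a tool receiving VPC Traffic Mirroring output has to do before it can inspect anything: strip the VXLAN header, check that the VNI matches the mirror session it expects, and parse the inner Ethernet/IPv4/TCP headers into a 5-tuple. The sample packet is constructed inline; its addresses, ports, and VNI 1001 are made up for illustration.

```python
"""
Decode a VXLAN-encapsulated mirrored packet of the kind AWS VPC Traffic
Mirroring delivers to a mirror target (UDP/4789, VNI = the mirror session's
virtual network identifier). Added example, not Garland's or AWS's code;
the sample packet and its addresses, ports and VNI are constructed here.
"""
import socket
import struct
from typing import Dict, Optional, Tuple

VXLAN_PORT = 4789              # UDP port the mirror target listens on
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid


def parse_vxlan(udp_payload: bytes) -> Tuple[int, bytes]:
    """Strip the 8-byte VXLAN header; return (vni, inner Ethernet frame)."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag clear: no valid VNI")
    vni = int.from_bytes(udp_payload[4:7], "big")   # 24-bit VNI in bytes 4..6
    return vni, udp_payload[8:]


def parse_inner_ipv4(frame: bytes) -> Dict[str, object]:
    """Extract the 5-tuple from an Ethernet/IPv4/{TCP,UDP} frame."""
    if len(frame) < 34:                       # 14-byte Ethernet + 20-byte IPv4
        raise ValueError("truncated Ethernet/IPv4 frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError(f"ethertype 0x{ethertype:04x} not handled (IPv4 only)")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:     # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def decode_mirrored_packet(udp_payload: bytes,
                           expected_vni: Optional[int] = None) -> Dict[str, object]:
    """Decapsulate one mirrored packet and reject packets from other sessions.

    Checking the VNI matters: a mirror target that accepts any UDP/4789
    datagram could be fed forged "mirrored" traffic by anything able to reach it.
    """
    vni, inner = parse_vxlan(udp_payload)
    if expected_vni is not None and vni != expected_vni:
        raise ValueError(f"VNI {vni} does not match expected mirror session VNI {expected_vni}")
    info = parse_inner_ipv4(inner)
    info["vni"] = vni
    return info


def build_sample_mirrored_packet(vni: int, src: str, dst: str, sport: int, dport: int,
                                 payload: bytes = b"GET / HTTP/1.1\r\n") -> bytes:
    """Constructed sample: VXLAN(vni) / Ethernet / IPv4 / TCP / payload.

    Checksums are left zero; this is parser test input, not a transmittable packet.
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb") + b"\x08\x00"
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return vxlan + eth + ipv4 + tcp


if __name__ == "__main__":
    pkt = build_sample_mirrored_packet(1001, "10.0.1.10", "10.0.2.20", 51000, 443)
    print(decode_mirrored_packet(pkt, expected_vni=1001))
    try:
        decode_mirrored_packet(pkt, expected_vni=1002)
    except ValueError as exc:
        print("rejected:", exc)
```

In a real receiver the datagram would come from a socket bound to UDP 4789, and the parser has to tolerate truncation, because a mirror session can be configured to deliver only the first N bytes of each packet; that is why the port extraction above is conditional on the bytes actually being present. The decapsulation step is specific to VXLAN-based mirroring such as AWS's; a third-party virtual TAP may deliver copies over a different transport, which is one of the things to establish when evaluating one.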
Garland Prisms is an out-of-band packet mirroring and decryption solution that lets network-based tools see deeper into modern compute environments, providing visibility into Kubernetes and cloud environments without impacting performance or requiring changes to the deployment architecture.
Evaluating Prisms early in the JEDI implementation will ensure a crucial layer of visibility is established at the onset. There are five recommended criteria for the DoD to evaluate Garland Prisms (or any third-party virtual TAP):
- Compatibility with Azure. Garland Technology’s Prisms works seamlessly with Azure and is an ideal solution to access and copy virtual traffic within Azure.
- Ease of deployment. Garland Technology's Prisms can be installed on VMs and begin passing cloud packets within minutes of setup. Prisms uses a SaaS management console as its control plane, while the mirrored data stays within the assigned cloud environment.
- Scalability. Garland Technology's Prisms can replicate cloud packets from a single VM to many destinations. The destinations can be applications or tools based in either the cloud or the traditional data center (adding a network packet broker helps accept virtual traffic and move it successfully into the data center).
- Affordability. Garland Technology’s Prisms offers a cost-effective pricing model that allows users to scale up as needs arise. Reducing IT costs and streamlining timelines are major priorities for the DoD.
- Easy to learn. Garland Technology's Prisms has a drag-and-drop interface that is easy to learn. Prisms is ideal for environments like the military where staff rotations are frequent and new assignees must learn a network configuration quickly and correctly.

Perhaps the most important criterion is the fifth, because the shortage of cyber security professionals in the United States is cited as a major disadvantage in protecting the country. A report by the Secretaries of Commerce and Homeland Security, "Supporting the Growth and Sustainment of the Nation's Cybersecurity Workforce: Building the Foundation for a More Secure American Future," states that it is imperative to recruit, train, and retain cyber security professionals across all government departments, including the DoD.
The DoD's JEDI project is a tremendous endorsement of the cloud as a viable option for critical networks like the DoD's Defense Information Systems Network (DISN). Data visibility in the DoD cloud matters because traffic cannot be protected from threats that no one can see. The visibility provided by a cloud visibility solution like Garland Prisms can help the DoD safeguard its cloud network from adversaries like China and Russia, who are probably applauding the DoD's migration to the cloud, but for nefarious reasons.
Experts anticipate that the 2020 Worldwide Threat Assessment will continue to warn of threats to the DoD's cloud security. That an uncomplicated and economical measure like cloud visibility can help protect one of the largest and most important networks in the world should brighten anyone's day, regardless of the weather or the latest threat assessment from the Office of the Director of National Intelligence.